Issue

If a user initializes IEC 61850 driver or EPO/PSO runtime before starting wireshark capture, the wireshark trace will not show proper representation of decoded traffic for IEC 61850 Manufacturing Message Specification (MMS) messages and rather shows "Dissector is not available" message in ethernet packets.

Environment

EPO/PSO communication with remote IEDs over IEC 61850 protocol.

Cause

If EPO runtime is started before wireshark capture is started, the initiate-request and initiate-response packets are not captured by wireshark, the presentation data can't be decoded as MMS.

The wireshark will dissect the message until ISO 8823 OSI presentation protocol, but the presentation layer won't be decoded. Have a look at below presentation of data in raw format by wireshark.

The information in "initiate-request and initiate-response" is needed to know what the presentation context is. So if the TCP dissector is not able to determine the type of payload, it will show up as data and the info column will display the TCP information instead of higher-layer information.

Resolution

Option 1

It is best practice to start wireshark first and then start EPO/PSO runtime so the wireshark will capture initialization traffic once the IEC 61850 driver starts.

Option 2

If it is not possible to do option 1, perform the following work around to see the MMS payload in a meaning way.

Open your pcap in wireshark software and go to Edit -> Preferences -> Protocols -> PRES -> Users Context List

Enter Context Id = 3

Enter Syntax name OID = 1.0.9506.2.1

The sample configurations are below.

Note that MMS decoding is activated only for the standard MMS port 102.

After applying these settings, you will be able to see the decoded MMS messages properly as an example below for the same above packet. This shows the boolean status of a logical node.

Released for:Schneider Electric UK